Slashdot Mirror


Where Has All My Spam Gone?

An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"


  1. Hmm by geminidomino · · Score: 5, Informative

    *Checks mail logs*

    Yeah, you need to ask the ISP again. No sign of slowing here.

    1. Re:Hmm by urbanriot · · Score: 4, Informative

      Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

    2. Re:Hmm by Southpaw018 · · Score: 5, Informative

      Thirded over here. Solid 7000/day for months (small business).

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    3. Re:Hmm by y86 · · Score: 5, Informative

      Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

      You should REALLY consider trying postgrey.

      http://postgrey.schweikert.ch/

      For non-whitelisted servers, Postgrey rejects the first delivery attempt with a temporary failure. The sending mail server will retry X times; on the second attempt Postgrey accepts it and adds the server to the whitelist.

      Postgrey will add a 5-minute lag to an email whose sending server has never sent an email to you. It's worth it to screw the spammers' zombies over, IMHO.

      Also, I would check your Postfix (or whatever you are using for a mail server) policy. I get 0 spam emails now and my address is posted all over the web.

      I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.

      Here's my spam prevention system :-)

      smtpd_recipient_restrictions =
          permit_mynetworks,
          permit_sasl_authenticated,
          reject_unauth_destination,
          reject_non_fqdn_sender,
          reject_unknown_sender_domain,
          reject_non_fqdn_recipient,
          reject_unknown_recipient_domain,
          reject_rbl_client zen.spamhaus.org,
          reject_rbl_client bl.spamcop.net,
          check_policy_service inet:127.0.0.1:60000
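
      The greylisting exchange described above, as an added example that is not postgrey's code and not the commenter's: Postfix hands each `check_policy_service` request to the daemon as `name=value` lines ended by an empty line and reads back an `action=` line, so the decision is a small state machine over the (client, sender, recipient) triplet. The 5-minute delay, the two-day retry window, the 35-day whitelist, the /24 grouping of IPv4 clients and the whitelist-after-first-success behaviour are assumptions made for this example; postgrey's own defaults differ in detail. The sample requests at the bottom are constructed.

```python
"""Greylisting as a Postfix policy-server decision, in the shape postgrey uses.

Added example, not postgrey's code. Tuning constants, /24 client grouping and
whitelist-after-first-success are assumptions for the example.
"""
import ipaddress

DEFER = "DEFER_IF_PERMIT Greylisted, try again later"
ACCEPT = "DUNNO"  # let the remaining smtpd_recipient_restrictions decide

GREYLIST_DELAY = 300            # seconds a first-seen triplet must wait (the "5 minute lag")
RETRY_WINDOW = 2 * 24 * 3600    # pending triplets older than this are forgotten (assumption)
WHITELIST_TTL = 35 * 24 * 3600  # a client that delivered once stays whitelisted this long (assumption)


def parse_policy_request(raw):
    """Parse one policy-delegation request into a dict; the empty line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return attrs


def format_policy_response(action):
    """Postfix expects 'action=<verdict>' followed by an empty line."""
    return "action=%s\n\n" % action


def client_key(address):
    """Group IPv4 clients by /24 so a sending farm that retries from a neighbouring
    address still matches (assumption modelled on postgrey); IPv6 is kept whole."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return str(ipaddress.ip_network("%s/24" % address, strict=False))
    return str(ip)


class Greylister:
    def __init__(self, delay=GREYLIST_DELAY, retry_window=RETRY_WINDOW, whitelist_ttl=WHITELIST_TTL):
        self.delay = delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self.pending = {}    # (client, sender, recipient) -> timestamp of first attempt
        self.whitelist = {}  # client -> timestamp of last accepted delivery

    def decide(self, attrs, now):
        client = client_key(attrs["client_address"])
        sender = attrs.get("sender", "").lower()       # empty sender = bounce message
        recipient = attrs["recipient"].lower()

        last_ok = self.whitelist.get(client)
        if last_ok is not None and now - last_ok < self.whitelist_ttl:
            self.whitelist[client] = now               # known good client: no delay at all
            return ACCEPT

        triplet = (client, sender, recipient)
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[triplet] = now                # never seen (or stale): ask for a retry
            return DEFER
        if now - first_seen < self.delay:
            return DEFER                               # retried too early: keep waiting
        del self.pending[triplet]                      # retried after the delay: accept
        self.whitelist[client] = now                   # and stop greylisting this client
        return ACCEPT

    def handle(self, raw_request, now):
        """Full round trip: raw request text in, response text out."""
        return format_policy_response(self.decide(parse_policy_request(raw_request), now))


def _request(client, sender, recipient):
    # constructed sample of what smtpd sends at RCPT time (abridged attribute set)
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            "client_address=%s\nsender=%s\nrecipient=%s\n\n" % (client, sender, recipient))


def run_scenario():
    """Replays a bot that never retries and a real MTA that does; returns the verdicts."""
    g = Greylister()
    bot = parse_policy_request(_request("198.51.100.7", "x@example.net", "me@example.org"))
    mta = parse_policy_request(_request("203.0.113.25", "friend@example.com", "me@example.org"))
    neighbour = parse_policy_request(_request("203.0.113.26", "other@example.com", "me@example.org"))
    return [
        g.decide(bot, 0),                  # bot, first and only try: deferred
        g.decide(mta, 10),                 # real MTA, first try: deferred
        g.decide(mta, 70),                 # retries after 1 minute: still too early
        g.decide(mta, 400),                # retries after about 6.5 minutes: accepted
        g.decide(neighbour, 500),          # new triplet from the same /24: already whitelisted
        g.decide(bot, 3 * 24 * 3600),      # bot reappears days later: pending entry expired, starts over
    ]
```

      The verdict strings are the ones Postfix understands: `DEFER_IF_PERMIT` becomes a 450 reply unless a later restriction rejects outright, and `DUNNO` falls through to the next entry in `smtpd_recipient_restrictions`, which is why the `check_policy_service` line sits last in the list above. A bot that fires once per address never sees `ACCEPT`; a real MTA pays one retry.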

    4. Re:Hmm by j-cloth · · Score: 5, Informative

      A huge second to PostGrey. It kills 90% of my incoming spam before it even touches spamassassin. However, I have noticed a few people who receive failure messages from their mail systems telling them that they've been greylisted before the mail goes through. Then uppy-ups whine to me.

    5. Re:Hmm by petermgreen · · Score: 3, Informative

      I use greylisting, it reduced spam to almost zero for a while but then it gradually climbed back to previous levels and more.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    6. Re:Hmm by Anonymous Coward · · Score: 2, Informative

      it's YOUR not YOU'RE *shoots you*

    7. Re:Hmm by Anonymous Coward · · Score: 1, Informative

      Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

      You should REALLY consider trying postgrey.

      There are lots of good greylisting systems out there.

      And how do you know he isn't getting hundreds of spams a day even with greylisting? Many spammers are aware of greylisting and will retry.

    8. Re:Hmm by wmbetts · · Score: 5, Informative

      I used to read a lot of not-so-nice forums when I was really into infosec, and I always heard them referred to as "The Russian Business Network".

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    9. Re:Hmm by stevey · · Score: 2, Informative

      My mail filtering service is currently hovering around 2.3 million mails - which is a little down from its peak.

      Still these things tend to even out over time; a few days/weeks of lower-than-average SPAM totals then a few more of higher than average.

      With only a couple of domains, anecdotally at that, I'd be inclined to assume nothing has changed significantly.

    10. Re:Hmm by jdmetz · · Score: 2, Informative

      A good way to complement spam-source filtering through greylisting is to block home/dynamic IPs, ranges where mail servers aren't supposed to be but where the majority of personal PCs (the ones that get owned by botnets) are. Spamhaus PBL, for example, has this particular target (or zen, which combines it with other known sources of spam).

      Please don't. There is no reason that mail servers shouldn't exist on home/dynamic IP addresses. This is one area where I'm actually happy with my AT&T DSL service - they block outbound port 25 connections by default, but allow you to opt out of the blocking if you want to run your own mail server.
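
    What a `reject_rbl_client zen.spamhaus.org` lookup actually asks and answers, as an added example that is neither commenter's code and not Postfix's: the client address is reversed, queried under the zone, and the `127.0.0.x` answer identifies which Spamhaus sub-list hit. The split between "reject" for SBL/CSS/XBL and "score only" for a PBL-only hit is a policy choice made for this example to fit the objection above (a PBL listing is an ISP policy statement, not evidence that the host spams). The resolver is injected and the DNS answers are constructed, so it runs offline.

```python
"""Decoding a Spamhaus ZEN answer. Added example, not Postfix's or Spamhaus's code.

The reject/score split is an assumption for the example; ZEN's return codes
are its published ones.
"""
import ipaddress

ZONE = "zen.spamhaus.org"

# ZEN answers with one or more 127.0.0.x addresses; the last octet names the sub-list.
ZEN_CODES = {
    2: "SBL",                                 # verified spam sources
    3: "CSS",                                 # SBL's snowshoe / compromised-sender component
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",   # exploited hosts: botnet members, open proxies
    10: "PBL", 11: "PBL",                     # end-user ranges that should not send mail directly
}


def query_name(address, zone=ZONE):
    """198.51.100.7 -> 7.100.51.198.zen.spamhaus.org (IPv4 only in this example)."""
    if ipaddress.ip_address(address).version != 4:
        raise ValueError("only IPv4 handled in this example")
    return ".".join(reversed(address.split("."))) + "." + zone


def lookup(address, resolve, zone=ZONE):
    """resolve(name) -> list of A-record strings, [] for NXDOMAIN. Returns the sub-lists hit."""
    lists = set()
    for answer in resolve(query_name(address, zone)):
        last_octet = int(answer.split(".")[-1])
        lists.add(ZEN_CODES.get(last_octet, "UNKNOWN"))
    return lists


def verdict(lists):
    """SBL/CSS/XBL: the host is a spam source or compromised, reject at SMTP time.
    PBL alone: a dynamic/end-user range, which catches bots but also the home mail
    server on opted-out DSL described above, so only add score downstream."""
    if lists & {"SBL", "CSS", "XBL"}:
        return "reject"
    if "PBL" in lists:
        return "score"
    return "accept"


# constructed DNS answers standing in for the real zone
FAKE_DNS = {
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # infected home PC: XBL + PBL
    "25.113.0.203.zen.spamhaus.org": ["127.0.0.11"],               # home mail server on DSL: PBL only
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


def check(address, resolve=fake_resolve):
    """Convenience wrapper: (verdict, sorted sub-lists) for one client address."""
    lists = lookup(address, resolve)
    return verdict(lists), sorted(lists)
```

    In Postfix itself the same split is expressed without a policy daemon: `reject_rbl_client zen.spamhaus.org=127.0.0.[2..7]` rejects only on SBL/CSS/XBL answers and leaves PBL-only clients to greylisting and SpamAssassin scoring.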

    11. Re:Hmm by jonbryce · · Score: 2, Informative

      That's a nice theory, but in practice, I have seen a huge increase in spam recently. Mostly CNN and MSNBC News Alerts that require me to download an updated version of Adobe Flash Player.

    12. Re:Hmm by Anonymous Coward · · Score: 1, Informative

      Very few spammers actually retry for a few reasons:

      1. It's expensive. This is one of the strengths of greylisting. It is more expensive for the sender than the recipient.

      2. Greylisting indicates an administrator with a reasonable level of spam awareness. Chances are fair that your spam will never be seen by anyone on that server anyway.

      3. Relatively few places greylist.

    13. Re:Hmm by orclevegam · · Score: 3, Informative

      Russian Business Network, or RBN, just happens to be one of the largest mafia-run botnet/spam organizations. Seeing as the mafia more or less runs the government over there, it's a semi-legal (as in, no one's going to realistically prosecute them) business that operates a massive for-hire botnet. It's not the only one over there, but it is the biggest and most visible one, so a lot of Russian botnet activity just gets labeled as RBN.

      --
      Curiosity was framed, Ignorance killed the cat.
    14. Re:Hmm by Capt.DrumkenBum · · Score: 3, Informative

      Just download it already. Then they will stop bothering you. :)

      --
      If I were God, wouldn't I protect my churches from acts of me?
    15. Re:Hmm by KillerBob · · Score: 3, Informative

      Unfair moderation much? I hope you get metamodded back into positive, because that post is definitely not a troll. :(

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
  2. One down by canderley · · Score: 5, Informative
    1. Re:One down by Anonymous Coward · · Score: 3, Informative

      Did you read that article?
      "Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

  3. Shadow botnet was killed recently by Nimey · · Score: 4, Informative
    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  4. A "Shadow" of their former selves? by DCheesi · · Score: 3, Informative

    Were the missing spam-mails mostly in Dutch?

    http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

    "Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

    ...

    "Once Shadow was secured, the police contacted Kaspersky Labs about providing a means to neutralize the malware."

  5. Reality... by Capt+James+McCarthy · · Score: 3, Informative

    Without seeing your logs, most folks would be guessing. The symptoms you provide are not enough to make an educated guess. I would say to bump up the verbosity of your email server, SpamAssassin, and the system itself and then go from there.

    --
    There are no loopholes. It's either legal or it's not.
  6. Fake News Alerts by pipingguy · · Score: 2, Informative

    Fake news alerts seem to be the new thing for my inbox.

  7. not on this end by JohnCub · · Score: 2, Informative

    our spam seems to be climbing.
    # of spams / date (m/d)
    16,037 8/15
    17,385 8/14
    17,287 8/13
    16,352 8/12
    15,171 8/11
    16,505 8/10
    14,344 8/9
    12,157 8/8
    12,465 8/7
    11,942 8/6
    12,265 8/5
    10,124 8/4
    11,437 8/3
    13,417 8/2
    12,858 8/1

    --
    -= Why can't I add 'Anonymous Coward' to my list of Foes? =-
  8. I just checked one of our Ironport Servers by Phil_at_EvilNET · · Score: 3, Informative

    In a 24 hour period we've gone from a peak of about 75,000 messages at 9pm CST last night to a low of 40,000 messages incoming today, 97.3% of which are spam. Total for the last 24 hours on that single Ironport (we have 4 in production and one in the lab) is 1.4 Million attempted messages, of which 36.1 thousand were clean.

    So all things taken into consideration, consider yourself fortunate. We're still seeing a trend that indicates that over 97% of all incoming mail is garbage.

    -Phil

    --
    To avoid corruption, one must remain dishonest.
  9. Re:headless botnets by drachenstern · · Score: 2, Informative

    lemme guess, most common infection name is Antivirus XP 2008?

    I've started having those pop up left and right, and you are correct: once you think you have the virus gone, you think you're clean. EEEEEEE wrong. There's actually a botnet hiding behind that virus load, and if you don't pull it off, it does its own direct port 25 push. I've three computers in my near vicinity that all have that loaded on their systems, and at first I was ready to wipe the frigging machine.

    Don't forget to clear system restore too!!!

    --
    2^3 * 31 * 647
  10. Re:I'm getting it by PARENA · · Score: 3, Informative

    Russian I was getting for a while, as well. Not anymore. /dev/null for anything with charset koi8-r or windows-1251.

    CNN I was getting for a few days. Seems to have disappeared again.

    --
    Here's the secret to immortality: ...oh dang, I forgot.
  11. Infected PC are offline during summer ^_^ by Kirys · · Score: 5, Informative

    Most spam is sent by botnets, mostly composed of infected PCs in workplaces, schools and private homes. In many countries, during the second and third week of August many schools and workplaces are closed, so their PCs are just turned off. This means that the botnets have fewer active nodes and so are less effective. I do receive less spam too, but I think that it will be back to the sad old amount at the end of the summer :(

    --
    Unluckily Murphy was right.
  12. Re:I'm getting it by growse · · Score: 3, Informative

    Simple. Configure your mailserver to block all bounce messages unless they originate from a server that you've sent a mail to in the past 12 hours. Then you'll only get legit bounces.

    --
    There is nothing interesting going on at my blog
  13. Re:I have it by Hal_Porter · · Score: 1, Informative

    Memez are in ur brainz, eating ur intelligence.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  14. Already going on. by Medievalist · · Score: 4, Informative

    Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

    Spammers and virus writers employed by spammers to create their zombie pools have been turning up dead for almost two years now.

    1. Re:Already going on. by swilde23 · · Score: 2, Informative

      That doesn't really tell you much though (except for the fact that a prominent spammer died recently).
      I would try looking at something more like this for information about spammers dying in the past few years: http://news.google.com/archivesearch?q=spammer+found+dead&sa=N&lnav=m&scoring=t

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
  15. Re:I'm getting it by petermgreen · · Score: 5, Informative

    and you will block quite a few legit bounces too for two reasons

    1: 12 hours is nowhere near long enough
    2: the message may be routed through multiple servers before finally getting bounced.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  16. Re:headless botnets by Lord+Ender · · Score: 2, Informative

    Cite my source? I am the primary source. I have a forensic image of such a machine sitting right next to me.

    Not everything on the internet originates at some other place on the internet. Somewhere, original sources actually exist, and they have nothing else to cite.

    I have seen four such infections, all came through hotmail (we think).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  17. Re:Totally OT: Chinese youth in Olympics by LearnToSpell · · Score: 2, Informative

    What are you talking about?

    Beam scores:
    Liukin - 16.125
    Johnson - 16.050
    Yang - 15.750

    I swear, I've never heard anybody but Americans complain about judging in an event that they WON.

  18. Yes, I can confirm this too by Nitromaroder · · Score: 2, Informative

    Here, in Germany, I've noticed this also: On my private mail server, the SPAM is almost gone (only 1-3 messages per day, instead of 20-30), at work I have similar experience: the amount of continuous SPAM per day is down to 1/10, but, every Thursday or Friday (since three weeks now), we get a huge wave of SMTP connections at ca. 4 pm CEST (from bot nets), which almost breaks down our internet connection. Both systems are using postfix+postgrey+amavis(spamassassin, dcc, razor, etc.). My suspicion: I am assuming my brothers are busy now with Georgia servers, so as long as the conflict in Caucasus is not over... :-P Kind regards, Denis

  19. Here's where your spam went by buss_error · · Score: 3, Informative

    1. If you've made no configuration changes or patches in the past week, that pretty much lets out program error.

    2. If your ISP is saying they don't do spam filtering, then that pretty much lets that out too, unless your ISP is given to lying to you.

    3. Others point to the cyber war between Georgia and Russia. I'd think that those folks would have their own bots not associated with spamming, but I can't prove that.

    4. It surpasses hope that all of a sudden people cleaned up their pwon3d systems.

    5. My spam levels have not dropped appreciably, and I not only have my own domain, but allocations as well.

    6. I have noticed at times in the past that my spam levels do drop by 60, 70, even 80%. They always pick back up before too long. Enjoy a brief respite.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.